On March 19 of this year, hackers believed to be working for the Russian government sent an email to Hillary Clinton’s campaign chairman John Podesta. The phishing email that Podesta received contained a URL, created with the popular Bitly shortening service, pointing to a longer URL that, to an untrained eye, looked like a Google link.

Indeed, it later turns out that all these hacks were done using the same tool: malicious short URLs hidden in fake Gmail messages. And those URLs, according to a security firm that’s tracked them for a year, were created with Bitly account linked to a domain under the control of Fancy Bear, the Russian hackers.

Earlier reports suggest that Podesta fell for it at the firs sight, clicking the well-crafted email right when he saw it. But a new email published on WikiLeaks on Friday reveals that Podesta was suspicious of the phishing email, and asked Clinton’s IT staff for help.

Charles Delavan, the IT Helpdesk Manager for the Clinton campaign, appeared to fall for it too, however.

“This is a legitimate email,” Delavan responded, according to the leaked email. “John needs to change his password immediately, and ensure that two-factor authentication is turned on his account.”

Delavan was responding to an email from Podesta’s chief of staff Sara Latham, who had forwarded the fake Google alert email sent by the hackers. That email contained the Bitly link that security firm SecureWorks has linked to Fancy Bear, the same one believed to be behind the hack on the Democratic National Committee.

To Delavan’s credit, he did not suggest Podesta click on the email, but rather advised him to go to the real Google website where he could have changed his password and enabled two-factor.

“It is absolutely imperative that this is done ASAP,” Delavan wrote, sending the email to both Podesta’s chief of staff as well as the campaign’s Chief Information Officer.